The IOMMU (also known VT-D on intel or IOV on AMD) is essentially a firewall for PCIE devices. This feature allows dom0 to lock a pcie device to a particular Qube, and so prevent it from accessing or modifying the rest of the system. This helps prevent against DMA attacks aka FireWire attacks, in which an insecure protocol allows a remote machine to simply modify system memory. It also protects against vulnerabilities in device firmware allowing one process from using the more privileged position of a Pci-E device to launch attacks on the rest of the system. This is the basis of the protection provided by sys-net and sys-usb.

PV vs. PVH vs. HVM

PV/PVH/HVM are all different virtual machine modes. HVM includes emulated device drivers via Qemu




WhatIs/IOMMU (last edited 2018-11-21 05:30:01 by admin)